The DPC's handling of Subject Access Requests
07th March 2025
The DPC is mandated to handle complaints from individuals, including requests for access to personal data (Article 15 GDPR). Article 15 GDPR contains a general obligation that firstly requires an organisation to confirm whether or not the individual’s personal data is undergoing processing.
In addition, Article 15(1) GDPR entitles an individual to obtain information from an organisation concerning:
- the purpose for which personal data is being processed;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored.
This information enables an individual to assess if the processing of their personal data is lawful and also ensures that they are in a position to exercise other rights under the GDPR, such as the right to erasure or rectification in certain circumstances.
In responding to a data access request, an organisation may be entitled to restrict the release of personal data if it can rely on restrictions in the GDPR and/or the Data Protection Act 2018. In such a case, the organisation must be able to demonstrate the reasoning for any restrictions.
In a case where records contain both the personal data of the individual and the personal data of another person(s), the GDPR (Article 15(4)) permits the organisation to withhold this information if its disclosure could adversely affect the other person(s) concerned. An example of this would be a case where medical records or the notes of a counselling session include information concerning both the individual and his/her spouse, former spouse, partner, children or other third parties. When considering the possible application of this GDPR restriction, an organisation should be able to demonstrate and have recorded the reasoning as to why it considers the restriction to be applicable along with details of how the decision was reached and the efforts made to consider the rights of all concerned (as outlined in the EDPB’s Data Subject Rights Guidelines).
Section 60(3)(b) of the Data Protection Act 2018 may also entitle an organisation to withhold information from an individual, to the extent that the information constitutes an expression of opinion about an individual given in confidence.
The DPC regularly handles complaints from individuals who are concerned that organisations have not addressed their request for access to their personal data appropriately.
When handling a complaint from an individual, the DPC will generally examine any restrictions relied upon by the organisation to withhold an individual’s personal data to assess whether or not the restrictions have been correctly applied in the particular circumstances of the complaint. In examining the validity of the restrictions, the DPC will contact the organisation and pose certain investigative questions that will assist the DPC in determining the validity of the restrictions applied in each case.
The DPC is acutely aware of the sensitivities around certain complaints. Any information provided to the DPC in this context, when handling matters of particular sensitivity, is kept strictly confidential and not shared outside of the DPC.
In a case where records contain the personal information of both the requesting individual and other people (such as the individual’s spouse/partner/child), the rights of those other parties, including their right to life and physical integrity, have to be balanced against the right of the requesting individual to access information about what personal data relating to him/her might be included in those records. In other words, the right to obtain access to information about what personal data might be contained in any record does not automatically outweigh the rights of third parties.
Any restriction of the right of access or to information must be justified on an evidential basis, by reference to the specific context of the case concerned. In the case of a “mixed record” which contains both the personal data of the requesting individual and that of related third parties (such as the requesting individual’s spouse/partner/child), it is clear that an identified risk of harm to the spouse/partner/child, arising from the potential disclosure of the information to the requesting individual, could justify the withholding of the information concerned. Furthermore, in highly sensitive situations where the release of personal data is highly likely to result in significant harms and risks to other persons, the general presumption is that the right of access can be restricted. Such decisions should be documented and the organisations concerned are required to cooperate in confidence with the DPC in the performance of its functions. The DPC is available to discuss with and advise organisations on the best approach and, where necessary, is also available to meet to explore particularly sensitive issues.